What to learn from the $10 million Subway POS hack

Two Romanian hackers will serve time for targeting Subway in a $10 million point-of-sale conspiracy involving 150 restaurants in 2011.

Iulian Dolan pleaded guilty Monday to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, while Cezar Butu pleaded guilty to one count of conspiracy to commit access device fraud. Dolan was sentenced to seven years in prison while Butu received 21 months. The third alleged hacker is awaiting trial in New Hampshire, while a fourth remains at large.

It's not just the hackers who are to blame, however; Subway's sloppy business practices left the chain vulnerable.

Remote access software--the weakest link

The hacking scheme exploited remote desktop software installed on the computers connected to the point-of-sale (POS) devices. Remote access software allows a third party to access a PC or other device, usually for the purpose of updating, repairing, or otherwise monitoring said device.

In this particular hack, Dolan identified vulnerable POS systems using the Internet. Next, Dolan hacked into these systems using the pre-installed remote desktop software, and installed key-logging software on them. The key-logging software allowed Dolan to record all of the transactions that went through the compromised systems, including customers' credit card data.

Dolan then transferred the credit card information to dump sites, where it was used to make unauthorized purchases and transfers by Oprea and, to a lesser extent, Butu.

In a similar--perhaps related--case in 2009, Romanian hackers targeted the POS systems of several Louisiana restaurants. These systems were also hacked via exploitation of remote access software, which had been installed by the devices' reseller, Computer World (no relation to the IDG publication, Computerworld), for the purpose of providing remote support.

How not to get hacked

This type of hack is a cautionary tale for both consumers and small business owners, who may not even realize their point-of-sale devices are running pre-installed remote access software.

Remote access software can be a godsend for business owners who aren't all that tech-savvy, since it allows someone offsite to control and troubleshoot a device from afar. If your device has remote access software installed, take these steps to help keep the hackers away:

Regularly check your Windows Task Manager (press Ctrl+Alt+Delete and click "Start task manager") to ensure that there are no shady processes running when they shouldn't be.

Change the default password of the remote access software.

Update your computer regularly and use a good antivirus program, which will help keep sketchy programs (such as keyloggers) from being installed on your computer.

According to Verizon's 2012 Data Breach Investigations Report, 97 percent of data breaches are avoidable using simple measures, such as using firewalls on all Internet-connected services, changing default credentials, and monitoring third parties that manage your business's point-of-sale systems.

In other words, if there is remote access software installed on your point-of-sale computer because a third party needs to access it, it's very important to ensure that that third party also keeps its security up to par.
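A command-line version of the Task Manager check above, as an added example that is not part of the original article: this Python script reads saved output of `netstat -ano` and `tasklist /fo csv /nh` and lists remote access listeners that are reachable from the network. The port list, function names and sample output are constructed assumptions; the article does not name the remote desktop product involved.

```python
import csv
import io

# Default TCP ports of common remote access tools. This is an assumed starting
# list; add whatever your POS vendor or reseller actually installed.
REMOTE_ACCESS_PORTS = {3389: "Remote Desktop (RDP)", 5900: "VNC",
                       5631: "pcAnywhere", 4899: "Radmin"}

# Constructed sample of `netstat -ano` output from a hypothetical POS PC.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:4899         0.0.0.0:0              LISTENING       2040
  TCP    192.168.1.20:49211     203.0.113.7:443        ESTABLISHED     3004
  TCP    [::]:3389              [::]:0                 LISTENING       1120
"""

# Constructed sample of `tasklist /fo csv /nh` output for the same machine.
SAMPLE_TASKLIST = '''\
"svchost.exe","884","Services","0","5,120 K"
"svchost.exe","1120","Services","0","9,884 K"
"winvnc.exe","2316","Services","0","4,210 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def exposed_remote_access(netstat_text, tasklist_csv):
    """Return (port, tool, address, image) for network-reachable listeners."""
    names = pid_names(tasklist_csv)
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP sockets in LISTENING state; this skips the header too.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")   # also handles [::]:3389
        port, pid = int(port), int(fields[4])
        # Ignore other ports and loopback-only listeners.
        if port not in REMOTE_ACCESS_PORTS or host.startswith("127.") or host == "[::1]":
            continue
        findings.append((port, REMOTE_ACCESS_PORTS[port], host, names.get(pid, "unknown")))
    return findings

if __name__ == "__main__":
    for port, tool, host, image in exposed_remote_access(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{tool} listening on {host}:{port} ({image})")
```

Each listener it reports is one to confirm with whoever supports the POS system: it should be needed, behind a firewall, and no longer on its default password.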
